
GDPR Compliance

Last updated: August 3, 2025

Our Commitment to GDPR

SpicyMagic is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and your rights as a data subject.

Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract Fulfillment: Processing necessary to deliver our services to you
  • Legitimate Interests: Processing for business operations, security, and fraud prevention
  • Legal Obligations: Processing required by law or regulation
  • Consent: Processing based on your explicit consent (which you can withdraw at any time)

Your Rights Under GDPR

1. Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you. We will provide this information free of charge within 30 days of your request.

2. Right to Rectification (Article 16)

You can request that we correct any inaccurate or incomplete personal data we hold about you.

3. Right to Erasure / "Right to be Forgotten" (Article 17)

You can request that we delete your personal data when:

  • It's no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

4. Right to Restrict Processing (Article 18)

You can request that we limit how we use your personal data while we investigate your concerns about its accuracy or our use of it.

5. Right to Data Portability (Article 20)

You can request your personal data in a structured, commonly used, and machine-readable format to transfer to another service provider.

6. Right to Object (Article 21)

You can object to processing of your personal data for direct marketing or based on legitimate interests.

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affects you.

Data Protection Measures

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data transmitted and stored is encrypted
  • Access Controls: Strict access controls and authentication requirements
  • Data Minimization: We only collect data necessary for specified purposes
  • Regular Audits: Security audits and vulnerability assessments
  • Staff Training: Regular privacy and security training for all employees
  • Privacy by Design: Data protection built into all our systems and processes

Data Processing Details

What We Collect

  • Store information (domain, email, API tokens)
  • Product configuration data
  • Analytics data (anonymized)
  • Technical data for service operation

How Long We Keep Data

  • Active account data: Duration of service + 30 days
  • Analytics data: 90 days rolling window
  • Session data: 60 minutes (automatic deletion)
  • Legal records: As required by law (typically 7 years)

Third-Party Processors

We use the following GDPR-compliant third-party processors:

  • Shopify: E-commerce platform (Data Processing Agreement in place)
  • Supabase: Database hosting (EU data centers available)
  • Upstash: Redis caching (GDPR compliant)
  • MaxMind: GeoIP services (Privacy Shield certified)

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission
  • Your explicit consent for specific transfers

Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document all breaches and remedial actions taken
  • Implement measures to prevent future breaches

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

  • Email: privacy@spicymagic.app
  • Subject Line: "GDPR Rights Request"
  • Include: Your store domain and specific request
  • Response Time: Within 30 days

Data Protection Officer

For privacy concerns or questions about our GDPR compliance:

  • Email: dpo@spicymagic.app

Supervisory Authority

You have the right to lodge a complaint with your local data protection supervisory authority if you believe we have not adequately addressed your concerns.

Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Any material changes will be communicated to you via email and updated on this page.

This GDPR compliance statement is part of our broader commitment to data protection and should be read in conjunction with our Privacy Policy and Terms of Service.
